Would 6.1.7 be re-released due to this bug or just tagged as "do not use"?


Regards,


William Crowell



From: Sérgio Damo de Lemos <sergio.d.le...@gmail.com>
Date: Friday, July 4, 2025 at 12:33 PM
To: users@activemq.apache.org <users@activemq.apache.org>
Cc: Jéan-Baptiste Onofre <j...@nanthrax.net>
Subject: Re: What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where the 
images do not show up on the web user interface?


Hi Matt,

Yes, I am preparing a PR for that. I also noticed that some other pages in
the web console are broken in the main branch (only in main, 6.1.7 release
is working fine). I documented both issues and I am looking at them today:
1. https://issues.apache.org/jira/browse/AMQ-9739
2. https://issues.apache.org/jira/browse/AMQ-9740

I suspect it was a side-effect of when we removed the dependency
on commons-lang3, but only adding this dependency to the web console
pom.xml did not solve the problem, so I'm looking at it as well.

Would you mind assigning both Jiras to me?

Thanks
Sérgio

On Fri, Jul 4, 2025 at 09:18, Matt Pavlovich <mattr...@apache.org>
wrote:

> Hi Sergio-
>
> Thank you for monitoring the list and providing the fix. Are you able to
> make another PR for this fix?
>
> Thanks,
> Matt Pavlovich
>
> > On Jul 3, 2025, at 1:14 PM, Sérgio Damo de Lemos
> > <sergio.d.le...@gmail.com> wrote:
> >
> > Hello everyone,
> >
> > I was the author of the change in the Web Console. I apologize if my change
> > broke any functionality. I have created a JIRA issue
> > <https://issues.apache.org/jira/browse/AMQ-9739> for this. I believe I don't
> > have permission to assign the issue; could anyone assign it to me? I will
> > submit a pull request today.
> >
> > The issue happens because of the "upgrade-insecure-requests" CSP
> > header, which tells the browser to automatically upgrade to HTTPS.
> > Changing the jetty.xml from
> >
> > ```
> > ...
> >                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> >                    <property name="pattern" value="*"/>
> >                    <property name="name" value="Content-Security-Policy"/>
> >                    <property name="value" value="upgrade-insecure-requests; style-src-elem 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> >                </bean>
> >                <!-- More relaxed rules to allow browsers to properly render XML -->
> >                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> >                    <property name="pattern" value="/admin/xml/*"/>
> >                    <property name="name" value="Content-Security-Policy"/>
> >                    <property name="value" value="upgrade-insecure-requests; style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> >                </bean>
> > ...
> > ```
> >
> > to
> >
> > ```
> > ...
> >                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> >                    <property name="pattern" value="*"/>
> >                    <property name="name" value="Content-Security-Policy"/>
> >                    <property name="value" value="style-src-elem 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> >                </bean>
> >                <!-- More relaxed rules to allow browsers to properly render XML -->
> >                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> >                    <property name="pattern" value="/admin/xml/*"/>
> >                    <property name="name" value="Content-Security-Policy"/>
> >                    <property name="value" value="style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> >                </bean>
> > ...
> > ```
> >
> > Should solve the problem. Apparently Chrome handles this with no issues,
> > but I was able to reproduce on Safari.
> >
> > Regards,
> > Sérgio
> >
> >
> > On Thu, Jul 3, 2025 at 05:41, William Crowell
> > <wcrow...@perforce.com.invalid> wrote:
> >
> >> JB,
> >>
> >> Thanks for your reply.  Is there any documentation on how to set this up?
> >> This was a bit of a surprise.
> >>
> >>
> >> Regards,
> >>
> >>
> >> William Crowell
> >>
> >>
> >>
> >> From: Jean-Baptiste Onofré <j...@nanthrax.net>
> >> Date: Thursday, July 3, 2025 at 7:56 AM
> >> To: wcrow...@perforce.com.invalid <wcrow...@perforce.com.INVALID>
> >> Cc: users@activemq.apache.org <users@activemq.apache.org>
> >> Subject: Re: What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where
> >> the images do not show up on the web user interface?
> >>
> >> Hi
> >>
> >> This is due to new "security" enforcement added to the WebConsole.
> >>
> >> If you have "custom" images, then you have to update the configuration
> >> in the jetty.xml to allow this.
> >>
> >> Regards
> >> JB
> >>
> >> On Wed, Jul 2, 2025 at 6:37 PM William Crowell
> >> <wcrow...@perforce.com.invalid> wrote:
> >>>
> >>> Good afternoon,
> >>>
> >>> What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where the images
> >>> do not show up on the web user interface?
> >>>
> >>> 6.1.7 release notes:
> >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12355749
> >>>
> >>> I have changed jetty.xml (which is the only thing I have changed since
> >>> untarring apache-activemq-6.1.7-bin.tar.gz), so that the broker listens on
> >>> all IP addresses.  It appears that the images and .css are not rendering
> >>> correctly on the 8161 port management console, and everything seems to want
> >>> to use https.
> >>>
> >>> Was it this change?
> >>> https://issues.apache.org/jira/browse/AMQ-9697
> >>>
> >>> How do you fix this?
> >>>
> >>> Regards,
> >>>
> >>> William Crowell
> >>>
> >>>
> >>> This e-mail may contain information that is privileged or confidential.
> >>> If you are not the intended recipient, please delete the e-mail and any
> >>> attachments and notify us immediately.
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
> >> For additional commands, e-mail: users-h...@activemq.apache.org
> >> For further information, visit: https://activemq.apache.org/contact
> >>
>
>
>
>
>
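
An added example, not code from the thread or from ActiveMQ: a small Python check that reads `HeaderPatternRule` beans like the ones quoted above and reports `upgrade-insecure-requests` when the console is served over plain HTTP, along with the relaxed sources in the `/admin/xml/*` rule. The sample XML is constructed and shortened, and `audit`, `console_uses_tls` and the other names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jetty.xml rules quoted in the thread
# (policies shortened, bean ids dropped; not the shipped file).
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
    <property name="pattern" value="*"/>
    <property name="name" value="Content-Security-Policy"/>
    <property name="value" value="upgrade-insecure-requests; img-src 'self'; default-src 'none';"/>
  </bean>
  <bean class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
    <property name="pattern" value="/admin/xml/*"/>
    <property name="name" value="Content-Security-Policy"/>
    <property name="value" value="style-src-elem 'self' 'unsafe-inline'; img-src 'self' data:; default-src 'none';"/>
  </bean>
</beans>"""

RULE = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"
RELAXED = ("'unsafe-inline'", "'unsafe-eval'", "data:", "*")

def local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # drop the Spring XML namespace

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # a duplicated directive is ignored: the first one wins
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def csp_rules(xml_text):
    """Yield (pattern, policy) for each HeaderPatternRule that sets a CSP."""
    for bean in ET.fromstring(xml_text).iter():
        if local(bean) != "bean" or bean.get("class") != RULE:
            continue
        props = {p.get("name"): p.get("value") for p in bean if local(p) == "property"}
        if (props.get("name") or "").lower() == "content-security-policy":
            yield props.get("pattern"), parse_csp(props.get("value") or "")

def audit(xml_text, console_uses_tls):
    """Return (pattern, finding) pairs for settings worth a review."""
    findings = []
    for pattern, policy in csp_rules(xml_text):
        if "upgrade-insecure-requests" in policy and not console_uses_tls:
            findings.append((pattern, "upgrade-insecure-requests on an HTTP-only console"))
        findings += [(pattern, f"{d} allows {s}")
                     for d, srcs in policy.items() for s in srcs if s in RELAXED]
    return findings
```

Calling `audit(SAMPLE, console_uses_tls=False)` reports the `*` rule for the upgrade directive; with `console_uses_tls=True` only the two relaxed sources on `/admin/xml/*` remain.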

